DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
2/17/2009 has been entered. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-5, 7-16 and 18-23 have been 
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1-5, 7, 8, and 18-23 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Pochon et al. (US 2003/0048793), of record, in view of Ahmed et al. 
(US 2004/0083385) and further in view of Hamadeh et al. (US 2004/0093521). 

Pochon discloses method and apparatus for data normalization comprising the 
following features. 

Regarding claims 1, 20, and 21, a method/system/computer readable storage 
medium comprising computer instructions for assembling fragmented network traffic, 
comprising: detecting in the fragmented network traffic an anomaly that could result in 
two or more fragments contained in the fragmented network traffic being reassembled 
at a monitoring node to obtain a reassembled data flow that is different than a 
corresponding data as reassembled at a destination node to which the fragmented 
network traffic is addressed (see [0089]-[0093], esp. [0093], where an NIDS checks to 
determine whether there is a conflict between previously received fragments and a 
currently received fragment, i.e. check to determine if there is an anomaly, see also 
[0022]-[0026]); and performing further processing on the fragmented network traffic 
having the anomaly (see [0093], where the fragmented network traffic having the 
anomaly is discarded). 

Regarding claims 2 and 18, wherein detecting an anomaly comprises 
determining that said two or more fragments overlap (see [0022]-[0026]). 

Regarding claim 3, wherein determining that said two or more fragments overlap 
comprises reading a header value associated with one of the fragments (see [0091]- 
[0092]). 

Regarding claim 4, wherein the header value comprises an offset value (see 
[0091]-[0092]). 

Regarding claims 5 and 19, wherein detecting an anomaly comprises 
determining that said two or more fragments overlap and that at least two of said 
fragments comprise different data for an overlapping portion of said fragments (see 
[0022]-[0026]). 
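
An added illustration (not part of the Office action or of any cited reference) of the check described above for claims 1-5: fragments are compared by offset, an anomaly is flagged when overlapping bytes differ, and two assumed reassembly policies show how a monitoring node and a destination node can obtain different data. The `Fragment` type, the policy names "first" and "last", and the sample bytes are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of the payload within the original datagram
    data: bytes   # fragment payload

def find_conflicts(fragments):
    """Return (i, j, start, end) for each pair of fragments, in arrival
    order, whose overlapping byte range [start, end) carries different data."""
    conflicts = []
    for j, cur in enumerate(fragments):
        for i, prev in enumerate(fragments[:j]):
            start = max(prev.offset, cur.offset)
            end = min(prev.offset + len(prev.data), cur.offset + len(cur.data))
            if start < end:  # the two ranges overlap
                a = prev.data[start - prev.offset:end - prev.offset]
                b = cur.data[start - cur.offset:end - cur.offset]
                if a != b:   # same positions, different bytes
                    conflicts.append((i, j, start, end))
    return conflicts

def reassemble(fragments, policy):
    """Reassemble in arrival order. 'first' keeps the bytes that arrived
    first; 'last' lets later fragments overwrite. Unfilled holes stay zero."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy: {policy}")
    total = max(f.offset + len(f.data) for f in fragments)
    buf, filled = bytearray(total), [False] * total
    for f in fragments:
        for k, byte in enumerate(f.data):
            pos = f.offset + k
            if policy == "last" or not filled[pos]:
                buf[pos], filled[pos] = byte, True
    return bytes(buf)

def variants(fragments):
    """Both reassembly outcomes, so a monitor can see whether they diverge."""
    return {p: reassemble(fragments, p) for p in ("first", "last")}

# Constructed sample: the third fragment overlaps bytes 12..15 of the second
# with different data.
SAMPLE = [Fragment(0, b"AAAAAAAA"), Fragment(8, b"BBBBBBBB"), Fragment(12, b"CCCCCCCC")]

if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
    print(variants(SAMPLE))
```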

Pochon disclosed the claimed limitations above. Pochon does not expressly 
disclose the following features: regarding claims 1, 20, and 21, initiating in response to 
detecting said anomaly expanded buffering of fragments contained in said fragmented 
network traffic; and performing a query to determine configuration information 
associated with how the destination node is configured to reassemble overlapping 
fragments; regarding claims 7 and 22, querying the destination node; regarding claims 8 
and 23, querying an information base. 

Ahmed discloses dynamic network security apparatus and methods for network 
processors comprising the following features. 

Regarding claims 1, 20, and 21, initiating in response to detecting said anomaly 
expanded buffering of packets contained in the packet network traffic (see increasing 
the size of the connection queue when detecting a TCP SYN attack recited in [0030]); 
and performing a query to determine configuration information (see processing a query 
to determine configuration information associated with the communication network 
recited in [0034-0035]). 

Regarding claims 7 and 22, querying the destination node (see [0034-0035]). 

Regarding claims 8 and 23, querying an information base (see [0034-0035]). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the method/system/computer readable storage medium of Pochon 
by using features, as taught by Ahmed, in order to dynamically load a security algorithm 
in a network processor based on network conditions (Ahmed: [0001]) and allow a more 
careful examination of the suspicious packet to determine whether the packet is benign 
or malicious. 

Pochon and Ahmed disclosed the claimed limitations above. They do not 
explicitly disclose the following features: regarding claims 1, 20, and 21, how the 
destination node is configured to reassemble overlapping fragments. 

Hamadeh discloses real-time packet traceback and associated packet marking 
strategies comprising the following features. 

Regarding claims 1, 20, and 21, determining configuration information associated 
with how the destination node is configured to reassemble overlapping fragments (see 
[114-118] and Fig. 7, where configuration information related to reconstruction algorithm 
the destination is used to reconstruct overlapping fragments is determined to form a set 
of IP addresses). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
of the invention to modify the method/system/computer readable storage medium of 
Pochon and Ahmed by using features, as taught by Hamadeh, in order to be able to 
determine the source of an attack within few minutes of its launch and while the attack 
is still ongoing. Hence, the reconstruction for traceback provides real-time identification 
of the addresses of routers involved in the attack. 



Application/Control Number: 10/775,537 Page 6 

Art Unit: 2416 

5. Claims 9-16 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Pochon et al. (US 2003/0048793), of record, in view of Ahmed et al. (US 2004/0083385) 
and further in view of Hamadeh et al. (US 2004/0093521) and Cantrell et al. (US 
2004/0093513). 

Pochon, Ahmed, and Hamadeh disclosed the claimed limitations above. Pochon 
also discloses the following features. 

Regarding claim 9, performing further processing comprises reassembling the 
fragmented network traffic (see [0039]-[0040]). 

They do not explicitly disclose the following features: regarding claim 9, 
generating more than one variant of the reassembled data flow; 

Cantrell discloses active network defense system and method comprising the 
following features. 

Regarding claim 9, generating more than one variant of the reassembled data 
flow (see [0026] and [0062]-[0065]). 

Regarding claim 10, processing the anomaly to determine whether the 
fragmented network traffic is associated with a threat (see [0065]). 

Regarding claim 11, performing an action on the fragmented network traffic 
based on whether the fragmented network traffic is associated with a threat (see 
[0063]). 

Regarding claim 12, discarding at least a portion of the fragmented network 
traffic if the fragmented network traffic is associated with a threat (see [0063]). 

Regarding claim 13, copying one or more fragments comprising the fragmented 
network traffic to a buffer (see [0065], where it is implicit that the traffic is copied to a 
buffer). 

Regarding claim 14, performing further processing comprises sending an alert 
(see [0063]). 

Regarding claim 15, performing further processing comprises determining 
whether the fragmented network traffic should be blocked (see [0063]). 

Regarding claim 16, performing further processing comprises determining 
whether the fragmented network traffic should be forwarded to the destination node 
(see [0063]). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
of the invention to modify the method/system/computer readable storage medium of 
Pochon, Ahmed, and Hamadeh by using features, as taught by Cantrell, in order to 
monitor and block traffic in an automated fashion, identify threats existing across 
multiple sessions and within individual sessions, block threatening packet traffic and 
terminate threatening sessions, extract suspicious traffic from the data flow for further 
examination with more comprehensive content matching as well as asset risk analysis, 
and provide a flow control mechanism to control passage rate for packets passing 
through the data flow. See the abstract. 

Conclusion 

6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to TUNG Q. IRAN whose telephone number is (571)272-9737. 
The examiner can normally be reached on Mon-Fri: 7:30 am - 5 pm, off 
alternative Fri. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kwang B. Yao can be reached on (571) 272-3182. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

U. Q. T./ 

Examiner, Art Unit 2416 
/Kwang B. Yao/ 

Supervisory Patent Examiner, Art Unit 2416 



